The internet of things & security
It is safe to say that, while you might not have heard of the Internet of Things (IoT) a few years ago, you are now coming across the term all the time.
As the inter-networking of devices embedded with software and sensors, the IoT enables connected devices and other objects to collect and exchange data. This allows individuals to control their thermostats from the office and security personnel to monitor video cameras at remote locations.
While this increased connection has improved efficiencies and accessibility, it has also made us more vulnerable. These vulnerabilities are one of the reasons that the IoT often gets a negative press. We often hear about it in relation to high profile or far reaching criminal cyber activity.
Just last October, we saw the Mirai Distributed Denial of Service (DDoS) attack take many high profile websites offline, including Twitter, Reddit, Github and Spotify. The attack was launched with the help of hacked IoT devices such as CCTV video cameras and digital video recorders which were commandeered to overload the systems of Domain Name System provider DYN. Many of the individuals and organisations whose devices were hijacked wouldn’t have even known that their infrastructure was being deployed to carry out the attack. Therefore, we all suffer when poorly designed or misconfigured hardware is connected to the internet.
Greater connectivity can increase vulnerability
IP-enabled devices, from CCTV cameras and smart TVs to connected thermostats and Bluetooth trackers, can all be vulnerable to a wide variety of criminal cyber activity. If not properly secured, they have the potential to offer an entry-point into personal, corporate, and governmental networks that can be exploited to extricate confidential data.
In addition to threatening privacy, criminal cyber-activity can mean huge financial losses for organisations and individuals. As we become more reliant on web-based services and devices, we run the risk of making ourselves even more vulnerable, particularly if we fail to understand the importance of cyber security in relation to the IoT.
What individuals and private citizens can do
While there is always a trade-off, safety does not have to come at the expense of convenience and efficiency. In fact, there are some basic steps we can all take to keep ourselves and our networks more secure.
The first step is to ask yourself if you really need to have all of your appliances on the IoT.
If you determine that your device or object –CCTV camera, access controlled door – must be connected to the IoT, then changing the default password when you install it is paramount. Increasingly, particularly in the security industry, vendors are ensuring that this happens by making it a required step in the installation process.
Another simple measure is to ensure all devices are regularly updated with the latest firmware and that security patches are applied in a timely fashion. 99.9% of data breaches have been shown to exploit a vulnerability that was at least a year old and for which a security update was widely available.
Common sense considerations
For those of us in the security sector, focusing on cyber security and the security of our security networks is a natural extension of what we already do. We understand the importance of anticipating vulnerabilities and keeping systems safe as part of the development of our solutions. There are several steps that we must all take to maintain and improve network security, particularly as the IoT expands. These steps include:
Authentication: the process of determining if an entity – user, server, or client app – is who it claims to be and then verifying if and how that entity is allowed to access a system.
Authorisation: where administrators restrict the scope of activity within their system by giving access rights to groups or individuals for resources, data or applications and by defining what users can do with these resources.
Encryption: protect information and data by using an algorithm to translate plaintext or readable text into ciphertext or unreadable text.
How organisations can secure their networks
But beyond what we can do at the software and device levels, there are also steps to be taken by organisations that will help keep their networks more secure.
When it comes to purchasing and installing security devices, organisations should do business with companies who are thinking about cyber security and are building it into the products and services they provide.
To improve their own cyber security, organisations should be working with companies that demonstrate a strong commitment to data security.
Before purchasing a product or engaging a service, there are a number of questions that should be asked to infer the prospective provider’s level of security maturity:
- Have they invested the time and money in achieving recognised certifications such as ISO 27001?
- Does the company have a security page on their website?
- Do they encourage customers and end users to tell them about vulnerabilities?
- Do they make patches easily available?
- Is there a public way to access the documentation?
Everyone in every organisation has a part to play. Of course, cyber security needs to be addressed and prioritised by the C-Suite. When exploited, network vulnerabilities can cost an organisation untold amounts of money and can potentially expose sensitive data. In addition, particularly with the move toward bringing your own device (BYOD) to work, employees also need to ensure that the devices they use and connect to the network are secure and that all their apps are up to date. In this way, they can work to ensure that they aren’t creating vulnerabilities within the office network.
Governments, organisations and individuals can continue to benefit from the increased convenience and accessibility provided to us by the IoT. We just need to focus on adhering to the security measures already in place and adapting to those yet to come.
Mathieu Chevalier
Lead Security Architect, Genetec Inc.
